In database management systems, data access is typically controlled by a privilege-based mechanism. Privileges can be granted on a system level or an object level. Privileges can also be granted to database roles within a role hierarchy. Thousands of privilege and role grants are normal in today's complex applications. Applications usually do not follow a least privilege model, in which users or roles are assigned the smallest privilege scope possible. In other words, under a least privilege model, a privilege is not assigned to a user or role that does not need the privilege. Instead, application developers mainly focus on the functionality of their respective applications and usually do not invest time to identify the minimum privileges required to complete that functionality.
Many (if not most) users of applications have excessive privileges that can be used to access sensitive data belonging to other applications. This becomes a significant problem in a multi-tenant environment. One tenant might be able to use its excessive privileges to view data in other tenants.
This excessive privilege problem also extends to database administration. Some database administrators have been granted powerful system-level privileges. Much of the time, these powerful privileges are not required for normal daily maintenance work. Such excessive privilege grants can be used to access restricted corporate data. Currently, traditional database auditing tools are used to monitor activities carried out by over-privileged users. However, not all customers turn on auditing for all actions. Also, database auditing involves creating a record for every single action initiated by each user. Thus, auditing tools generate a large amount of audit data and cause performance issues. Furthermore, audit data indicates what has been done; it does not provide information on used or unused privileges for users and applications.
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.